HAWAII A.G. LOPEZ URGES UNITEDHEALTH GROUP TO HELP PATIENTS AND PROVIDERS HARMED BY CYBERATTACK

HONOLULU, Hawaii, April 26 -- Hawaii Attorney General Anne E. Lopez issued the following news release on April 25, 2024:

Attorney General Anne Lopez announced today she has joined a bipartisan, multistate coalition of 22 attorneys general in sending a letter to UnitedHealth Group, Inc. -- the nation's largest health insurer and the parent company of Change Healthcare -- urging the corporation to take more meaningful action to better protect providers, pharmacies and patients harmed by the recent catastrophic outage of Change Healthcare.

Change Healthcare runs the nation's largest clearinghouse for electronic healthcare data. Its technological infrastructure is used by tens of thousands of providers, pharmacies, and insurers to verify insurance, confirm pre-authorization of procedures or services, exchange insurance claims data, and perform other administrative tasks essential to the delivery of health care.

On February 21, 2024, Change Healthcare experienced a cyberattack by ALPHV/Blackcat, which crippled its platform. In the intervening weeks, providers, pharmacies and facilities have reported disruptions to care infrastructure, inability to verify insurance coverage or obtain prior authorization, and inability to process claims or obtain reimbursements. Patients report delayed or denied access to prescription drugs, and scheduling appointments or procedures.

"Here in Hawaii, we have heard from local medical providers who say the cyberattack is causing issues with access by way of delayed insurance authorizations and claim reimbursements. This is unacceptable. We need UnitedHealth Group to step up and do more to protect patients and providers," said Attorney General Anne Lopez.

In the letter, Attorney General Lopez and the coalition call upon UnitedHealth Group to act quickly to limit the harm to the states' care providers and patients. Specifically, they ask UnitedHealth Group to take the following steps:

* Enhance and expand financial assistance, free of onerous terms, to all affected providers, facilities, and pharmacies.

* Ensure its financial assistance programs are not providing more advantageous financial assistance to providers, practices, or facilities that are owned by UnitedHealth Group.

* Shield the business information of providers and pharmacies from United's other corporate lines of business.

* Suspend requirements for prior authorizations, contemporaneous notifications of change of status, and other documentation requirements.

* Provide a dedicated help line for providers, facilities, and pharmacies, and state Attorneys General.

* Proactively inform providers, facilities, pharmacies, and industry groups of the steps they can take to preserve claims and receive prompt reimbursement.

* Expeditiously resolve the claims backlog and ensure prompt reimbursement of claims.

* Ensure providers, facilities, pharmacies, regulators, affected patients, and the public are informed of what data was compromised and what steps, if any, are needed for providers and patients to mitigate future identity theft or systems risks.

UnitedHealth Group acquired Change Healthcare in 2022.

Joining Attorney General Lopez in sending the letter to UnitedHealth Group are a bipartisan group of attorneys general from Arizona, California, Connecticut, the District of Columbia, Maine, Massachusetts, Michigan, Minnesota, Mississippi, Nebraska, Nevada, New Hampshire, New York, North Carolina, Oregon, Pennsylvania, Rhode Island, South Dakota, Utah, Vermont, and Washington.

* * *

April 25, 2024

To: Mr. Andrew Witty, Chief Executive Officer, UnitedHealth Group Inc., 9900 Bren Road East, Minnetonka, MN 55343, [email protected]

Re: Change Healthcare Disruptions

Dear Mr. Witty:

The undersigned Attorneys General write to express our concern with UnitedHealth Group Inc. subsidiary Change Healthcare's response to the lengthy disconnection and subsequent limited restoration of its platform services as a result of a cyberattack. Providers, pharmacies, and patients have reported catastrophic disruptions and wholly inadequate responses from Change Healthcare and its payor partners that either directly or indirectly rely upon Change. Health care entities and pharmacies within our jurisdictions have indicated that they are in jeopardy of collapse. Patients describe disruptions to their care and delayed or denied access to prescription drugs as a consequence of Change Healthcare's failures. You must do more than you are currently to avoid imposing further harm to our states' health care infrastructure and the patients who rely upon it.

On February 21, 2024, Change Healthcare reported enterprise-wide connectivity issues and the unavailability of some applications./1 Over the next several days, United continued to communicate that Change Healthcare was "experiencing a cyber security issue" but that other systems at UnitedHealthcare and UnitedHealth Group were still functional./2 More than a week later, Change Healthcare indicated the cybersecurity incident was an attack by ALPHV/Blackcat. United asserted, "Patient care is our top priority, and we have multiple workarounds to ensure people have access to the medications and the care they need."/3

On March 1, there were several developments. First, United reported it had "completed standing up a new instance of Change Healthcare's Rx ePrescribing service. (Clinical exchange ePrescribing providers' tools are still not operational.)"/4 Second, Optum launched a Temporary Funding Assistant Program./5 And, third, a Bitcoin wallet tied to cybersecurity threat actor ALPHV/Blackcat received a $22 million suspected ransom payment./6 On March 7, United announced that it had launched a "[n]ew instance of the Rx Connect (Switch) service" and was "working to restore full service and connectivity claim traffic, and had thus begun enabling Rx Connect, Rx Edit, and Rx Assist services."/7

As of United's March 28 update, Change was still working to restore access for providers that lost claims and ERA connectivity, and pledging to work "[o]ver the next several weeks . . . with government payers and intermediaries to transition providers enrolled in Change Healthcare connections to the Optum iEDI Clearinghouse."/8 In that update, issued more than a month after the initial disruption, United continued to urge partners and providers to "please allow us and the payers time to complete this effort."/9

Since February 21, 2024, the undersigned Attorneys General have received a series of increasingly dire messages from facilities, care providers, and patients in our states. They report disruptions to care and prescription drug access, catastrophic billing and payment backlogs, and other problems stemming from the extended breakdown of Change Healthcare. Facilities that use Change Healthcare as their backbone to track services and claims have been unable to timely complete prior authorizations, confirm benefits, document and submit claims, and in some instances have even lost access to basic care IT infrastructure.

Though providers and facilities who directly contract with Change Healthcare reported the most substantial impacts to their ability to continue providing care and remain solvent, they were not the only parties affected by the outage. As you are intimately aware, Change Healthcare's platform is woven throughout the nation's health care delivery infrastructure./10 Even parties who do not wittingly use Change Healthcare have endured the effects of Change's failures as insurers-- BlueCross, UCare, and others--have seen their systems hobbled by the disruption of Change. As a consequence, care providers and facilities initially had to choose whether to provide care or prescriptions to patients without completing the requisite approvals and preapprovals (thus risking they would later not be reimbursed by insurers) or refusing to provide those services and jeopardizing the health of patients. The overwhelming majority of providers continued to provide care in good faith. Accordingly, they continued to accumulate claims they could not submit through any commercially reasonable or scalable process, and they continued to amass financial obligations to their providers, vendors, and others they could not pay without reimbursements coming through the door. Facing these immediate financial burdens, some took out lines of credit or loans to pay rent and payroll. These impacts are particularly acute for small independent providers who do not retain bookkeeping and IT staff to navigate other avenues of documentation and claims submission.

To date, both Change Healthcare's and UnitedHealth Group's responses to the crisis have been inadequate. Care providers and non-UHG facilities are unable to reach Change Healthcare staff who can provide timely information about what data has been breached, which patients and systems may have ongoing cyber vulnerability, to what extent independent analysis has been completed to ensure vulnerabilities have been reduced or eliminated, how they can receive financial support that does not impose unreasonable conditions such as waiver of liability, or how they can document and submit claims during the outage. For the limited subset who have successfully navigated Change's and United's financial help systems, the offer of financial support has been paltry, with independent providers being quoted relief of as little as $10 per week. Furthermore, some providers understand that accepting short-term financial aid will waive any claims they may have against Change or United as a consequence of the breach. We are also deeply concerned by the perception that practices owned by United may be getting more immediate relief and more favorable terms from the financial assistance program.

The undersigned Attorneys General are writing to inform you that you have an obligation to take action to limit the harm to our states' care providers and patients. Immediate steps must be taken to protect our care infrastructure for the duration of the outage and in the weeks following while Change, United, and all other plans and providers work through the backlog of claims:

* Enhance and expand financial assistance to all affected providers, facilities, and pharmacies. We understand that some initial onerous terms, such as a waiver of claims, have been removed. Obtaining financial assistance should not require an affected entity to agree to choice of law, choice of venue, statute of limitations, or other onerous terms. We encourage Change to further revise its terms to provide longer pay back periods and permit repayment through offsets of claims paid.

* Ensure your financial assistance programs are not providing more advantageous financial assistance to providers, practices, or facilities that are owned by United or one of its subsidiaries.

* Shield the business information of providers and pharmacies from United's other corporate lines of business (e.g., Optum as a provider and United as an insurer).

* Suspend requirements for prior authorizations, contemporaneous notifications of change of status, and other documentation requirements, the absence of which United would ordinarily use as a basis to deny claims and encourage other carriers to do the same.

* Provide a dedicated help line for providers, facilities, and pharmacies to resolve unanswered questions or stalled claims, and adequately staff it such that questions are resolved promptly.

* Provide a dedicated complaint resolution mechanism for state Attorneys General and relevant state agencies.

* Proactively inform providers, facilities, pharmacies, and industry groups associated with each, of the steps they can take to preserve claims and receive prompt reimbursement.

* Expeditiously resolve the claims backlog and ensure prompt reimbursement of claims.

* Ensure providers, facilities, pharmacies, regulators, affected patients, and the public are informed of what data was compromised and what steps, if any, are needed for providers and patients to mitigate future identity theft or systems risks.

* Provide to the undersigned offices independent analysis confirming your companies' systems are secure and the vulnerabilities that contributed to the cyberattack have been addressed.

* Identify the specific steps you are taking to expeditiously resolve the claims backlog and ensure prompt reimbursement of claims and provide an update as to what percentage of providers are fully reconnected to Change.

While we expect that your companies will take these actions, please understand that this letter should not be construed as a settlement offer, waiver, or suspension of any ongoing or contemplated investigations or other legal action that the undersigned Attorneys General may take against your companies. The undersigned expressly reserve all rights available to them.

We trust that, after receiving this letter, your companies will work with the Attorneys General to assist our providers, pharmacies, and patients who have been adversely affected by the cyberattack.

We look forward to a prompt update on your efforts.

Sincerely,

/s/ Keith Ellison

KEITH ELLISON

Minnesota Attorney General

/s/ Rob Bonta

ROB BONTA

California Attorney General

/s/ Brian L. Schwalb

BRIAN L SCHWALB

District of Columbia Attorney General

/s/ Aaron M. Frey

AARON M. FREY

Maine Attorney General

/s/ Dana Nessel

DANA NESSEL

Michigan Attorney General

/s/ Mike Hilgers

MIKE HILGERS

Nebraska Attorney General

/s/ John Formella

JOHN FORMELLA

New Hampshire Attorney General

/s/ Josh Stein

JOSH STEIN

North Carolina Attorney General

/s/ Kris Mayes

KRIS MAYES

Arizona Attorney General

/s/ William Tong

WILLIAM TONG

Connecticut Attorney General

/s/ Anne E. Lopez

ANNE E. LOPEZ

Hawaii Attorney General

/s/ Andrea Joy Campbell

ANDREA JOY CAMPBELL

Massachusetts Attorney General

/s/ Lynn Fitch

LYNN FITCH

Mississippi Attorney General

/s/ Aaron D. Ford

AARON D. FORD

Nevada Attorney General

/s/ Letitia James

LETITIA JAMES

New York Attorney General

/s/ Ellen F. Rosenblum

ELLEN F. ROSENBLUM

Oregon Attorney General

/s/ Michelle A. Henry

MICHELLE A. HENRY

Pennsylvania Attorney General

/s/ Marty J. Jackley

MARTY J. JACKLEY

South Dakota Attorney General

/s/ Charity R. Clark

CHARITY R. CLARK

Vermont Attorney General

/s/ Peter F. Neronha

PETER F. NERONHA

Rhode Island Attorney General

/s/ Sean D. Reyes

SEAN D. REYES

Utah Attorney General

/s/ Bob Ferguson

BOB FERGUSON

Washington Attorney General

* * *

Footnotes:

1/ UnitedHealth Group, Update: Some applications are experiencing connectivity issues, Optum Solutions Status, https://solution-status.optum.com/incidents/hqpjz25fn3n7 (last visited March 28, 2024).

2/ Id.

3/ Devna Bose, A large US health care tech company was hacked. It's leading to billing delays and security concerns, Associated Press (Feb. 29, 2024), https://apnews.com/article/change- cyberattack-hospitals-pharmacy-alphv-unitedhealthcare-521347eb9e8490dad695a7824ed11c41 (last visited Mar. 28, 2024).

4/ UnitedHealth Group, Update: Some applications are experiencing connectivity issues, Optum Solutions Status, https://solution-status.optum.com/incidents/hqpjz25fn3n7 (last visited Mar. 28, 2024).

5/ Optum, Temporary Funding Assistance Program for providers, https://www.optum.com/en/business/providers/health-systems/payments-lending- solutions/optum-pay/temporary-funding-assistance.html (last visited Mar. 28, 2024).

6/ Andy Greenberg, Hackers Behind the Change Healthcare Ransomware Attack Just Received a $22 Million Payment, Wired (Mar. 4, 2024 12:41 PM), https://www.wired.com/story/alphv- change-healthcare-ransomware-payment/ (last visited Mar. 28, 2024).

7/ UnitedHealth Group, Update: Some applications are experiencing connectivity issues, Optum Solutions Status, https://solution-status.optum.com/incidents/hqpjz25fn3n7 (last visited Mar. 28, 2024).

8/ Id.

9/ Id

10/ Before UHG bought Change, Change concluded that the "healthcare system, and how payers and providers interact and transact, would not work without Change Healthcare." Complaint,

25, https://www.justice.gov/atr/case- document/file/1476901/dl#:~:text=Change's%20internal%20business%20documents%20recogni ze,payers%20and%20providers%20interact%20and; Opening Slides at 10, https://www.justice.gov/media/1235956/dl?inline; Department of Justice et al. v. United Health Group Inc. and Change Healthcare Inc.

* * *

Original text here: https://ag.hawaii.gov/wp-content/uploads/2024/04/News-Release-2024-20.pdf